doorkeeper 5.5.2 → 5.6.6

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -13,6 +13,7 @@ module Doorkeeper
     include Models::SecretStorable
     include Models::Scopes
     include Models::ResourceOwnerable
+    include Models::ExpirationTimeSqlMath
 
     module ClassMethods
       # Returns an instance of the Doorkeeper::AccessToken with
@@ -86,8 +87,9 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken, nil] Access Token instance or
       #   nil if matching record was not found
       #
-      def matching_token_for(application, resource_owner, scopes)
+      def matching_token_for(application, resource_owner, scopes, include_expired: true)
         tokens = authorized_tokens_for(application&.id, resource_owner)
+        tokens = tokens.not_expired unless include_expired
         find_matching_token(tokens, application, scopes)
       end
 
@@ -104,9 +106,7 @@ module Doorkeeper
       #
       # ActiveRecord 5.x - 6.x ignores custom ordering so we can't perform a
       # database sort by created_at, so we need to load all the matching records,
-      # sort them and find latest one. Probably it would be better to rewrite this
-      # query using Time math if possible, but we n eed to consider ORM and
-      # different databases support.
+      # sort them and find latest one.
       #
       # @param relation [ActiveRecord::Relation]
       #   Access tokens relation
@@ -181,7 +181,7 @@ module Doorkeeper
       #
       def find_or_create_for(application:, resource_owner:, scopes:, **token_attributes)
         if Doorkeeper.config.reuse_access_token
-          access_token = matching_token_for(application, resource_owner, scopes)
+          access_token = matching_token_for(application, resource_owner, scopes, include_expired: false)
 
           return access_token if access_token&.reusable?
         end
@@ -213,7 +213,7 @@ module Doorkeeper
       # @return [Doorkeeper::AccessToken] new access token
       #
       def create_for(application:, resource_owner:, scopes:, **token_attributes)
-        token_attributes[:application_id] = application&.id
+        token_attributes[:application] = application
         token_attributes[:scopes] = scopes.to_s
 
         if Doorkeeper.config.polymorphic_resource_owner?
@@ -279,7 +279,7 @@ module Doorkeeper
     end
 
     # Access Token type: Bearer.
-    # @see https://tools.ietf.org/html/rfc6750
+    # @see https://datatracker.ietf.org/doc/html/rfc6750
     #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
     #
     def token_type

data/lib/doorkeeper/models/concerns/expiration_time_sql_math.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module ExpirationTimeSqlMath
+      extend ::ActiveSupport::Concern
+
+      class ExpirationTimeSqlGenerator
+        attr_reader :model
+
+        delegate :table_name, to: :@model
+
+        def initialize(model)
+          @model = model
+        end
+
+        def generate_sql
+          raise "`generate_sql` should be overridden for a #{self.class.name}!"
+        end
+      end
+
+      class MySqlExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATE_ADD(#{table_name}.created_at, INTERVAL #{table_name}.expires_in SECOND)")
+        end
+      end
+
+      class SqlLiteExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATETIME(#{table_name}.created_at, '+' || #{table_name}.expires_in || ' SECONDS')")
+        end
+      end
+
+      class SqlServerExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("DATEADD(second, #{table_name}.expires_in, #{table_name}.created_at) AT TIME ZONE 'UTC'")
+        end
+      end
+
+      class OracleExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + INTERVAL to_char(#{table_name}.expires_in) second")
+        end
+      end
+
+      class PostgresExpirationTimeSqlGenerator < ExpirationTimeSqlGenerator
+        def generate_sql
+          Arel.sql("#{table_name}.created_at + #{table_name}.expires_in * INTERVAL '1 SECOND'")
+        end
+      end
+
+      ADAPTERS_MAPPING = {
+        "sqlite" => SqlLiteExpirationTimeSqlGenerator,
+        "sqlite3" => SqlLiteExpirationTimeSqlGenerator,
+        "postgis" => PostgresExpirationTimeSqlGenerator,
+        "postgresql" => PostgresExpirationTimeSqlGenerator,
+        "mysql" => MySqlExpirationTimeSqlGenerator,
+        "mysql2" => MySqlExpirationTimeSqlGenerator,
+        "trilogy" => MySqlExpirationTimeSqlGenerator,
+        "sqlserver" => SqlServerExpirationTimeSqlGenerator,
+        "oracleenhanced" => OracleExpirationTimeSqlGenerator,
+      }.freeze
+
+      module ClassMethods
+        def supports_expiration_time_math?
+          ADAPTERS_MAPPING.key?(adapter_name.downcase) ||
+            respond_to?(:custom_expiration_time_sql)
+        end
+
+        def expiration_time_sql
+          if respond_to?(:custom_expiration_time_sql)
+            custom_expiration_time_sql
+          else
+            expiration_time_sql_expression
+          end
+        end
+
+        def expiration_time_sql_expression
+          ADAPTERS_MAPPING.fetch(adapter_name.downcase).new(self).generate_sql
+        end
+
+        def adapter_name
+          ActiveRecord::Base.connection.adapter_name
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/concerns/polymorphic_resource_owner.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Doorkeeper
+  module Models
+    module PolymorphicResourceOwner
+      module ForAccessGrant
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: false
+          else
+            validates :resource_owner_id, presence: true
+          end
+        end
+      end
+
+      module ForAccessToken
+        extend ActiveSupport::Concern
+
+        included do
+          if Doorkeeper.config.polymorphic_resource_owner?
+            belongs_to :resource_owner, polymorphic: true, optional: true
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/doorkeeper/oauth/authorization/code.rb

@@ -45,7 +45,13 @@ module Doorkeeper
             attributes[:resource_owner_id] = resource_owner.id
           end
 
-          pkce_attributes.merge(attributes)
+          pkce_attributes.merge(attributes).merge(custom_attributes)
+        end
+
+        def custom_attributes
+          # Custom access token attributes are saved into the access grant,
+          # and then included in subsequently generated access tokens.
+          @pre_auth.custom_access_token_attributes.to_h.with_indifferent_access
         end
 
         def pkce_attributes

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -60,7 +60,7 @@ module Doorkeeper
           )
 
           @token = Doorkeeper.config.access_token_model.find_or_create_for(
-            application: pre_auth.client,
+            application: application,
             resource_owner: resource_owner,
             scopes: pre_auth.scopes,
             expires_in: self.class.access_token_expires_in(Doorkeeper.config, context),
@@ -68,6 +68,12 @@ module Doorkeeper
           )
         end
 
+        def application
+          return unless pre_auth.client
+
+          pre_auth.client.is_a?(Doorkeeper.config.application_model) ? pre_auth.client : pre_auth.client.application
+        end
+
         def oob_redirect
           {
             controller: controller,

data/lib/doorkeeper/oauth/authorization_code_request.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
-      # @see https://tools.ietf.org/html/rfc6749#section-5.2
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
       validate :code_verifier, error: :invalid_grant
 
@@ -35,6 +35,7 @@ module Doorkeeper
             grant.application,
             resource_owner,
             grant.scopes,
+            custom_token_attributes_with_data,
             server,
           )
         end
@@ -55,11 +56,12 @@ module Doorkeeper
       end
 
       def validate_params
-        @missing_param = if grant&.uses_pkce? && code_verifier.blank?
-                           :code_verifier
-                         elsif redirect_uri.blank?
-                           :redirect_uri
-                         end
+        @missing_param =
+          if grant&.uses_pkce? && code_verifier.blank?
+            :code_verifier
+          elsif redirect_uri.blank?
+            :redirect_uri
+          end
 
         @missing_param.nil?
       end
@@ -97,7 +99,15 @@ module Doorkeeper
       end
 
       def generate_code_challenge(code_verifier)
-        server_config.access_grant_model.generate_code_challenge(code_verifier)
+        Doorkeeper.config.access_grant_model.generate_code_challenge(code_verifier)
+      end
+
+      def custom_token_attributes_with_data
+        grant
+          .attributes
+          .with_indifferent_access
+          .slice(*Doorkeeper.config.custom_access_token_attributes)
+          .symbolize_keys
       end
     end
   end

data/lib/doorkeeper/oauth/base_request.rb

@@ -26,27 +26,28 @@ module Doorkeeper
         @scopes ||= build_scopes
       end
 
-      def find_or_create_access_token(client, resource_owner, scopes, server)
+      def find_or_create_access_token(client, resource_owner, scopes, custom_attributes, server)
         context = Authorization::Token.build_context(client, grant_type, scopes, resource_owner)
-        @access_token = server_config.access_token_model.find_or_create_for(
-          application: client,
+        application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+
+        token_attributes = {
+          application: application,
           resource_owner: resource_owner,
           scopes: scopes,
           expires_in: Authorization::Token.access_token_expires_in(server, context),
           use_refresh_token: Authorization::Token.refresh_token_enabled?(server, context),
-        )
+        }
+
+        @access_token =
+          Doorkeeper.config.access_token_model.find_or_create_for(**token_attributes.merge(custom_attributes))
       end
 
       def before_successful_response
-        server_config.before_successful_strategy_response.call(self)
+        Doorkeeper.config.before_successful_strategy_response.call(self)
       end
 
       def after_successful_response
-        server_config.after_successful_strategy_response.call(self, @response)
-      end
-
-      def server_config
-        Doorkeeper.config
+        Doorkeeper.config.after_successful_strategy_response.call(self, @response)
       end
 
       private

data/lib/doorkeeper/oauth/client_credentials/creator.rb

@@ -8,13 +8,14 @@ module Doorkeeper
           existing_token = nil
 
           if lookup_existing_token?
-            existing_token = find_existing_token_for(client, scopes)
-            return existing_token if server_config.reuse_access_token && existing_token&.reusable?
+            existing_token = find_active_existing_token_for(client, scopes)
+            return existing_token if Doorkeeper.config.reuse_access_token && existing_token&.reusable?
           end
 
           with_revocation(existing_token: existing_token) do
-            server_config.access_token_model.find_or_create_for(
-              application: client,
+            application = client.is_a?(Doorkeeper.config.application_model) ? client : client&.application
+            Doorkeeper.config.access_token_model.create_for(
+              application: application,
               resource_owner: nil,
               scopes: scopes,
               **attributes,
@@ -25,7 +26,7 @@ module Doorkeeper
         private
 
         def with_revocation(existing_token:)
-          if existing_token && server_config.revoke_previous_client_credentials_token?
+          if existing_token && Doorkeeper.config.revoke_previous_client_credentials_token?
             existing_token.with_lock do
               raise Errors::DoorkeeperError, :invalid_token_reuse if existing_token.revoked?
 
@@ -39,16 +40,12 @@ module Doorkeeper
         end
 
         def lookup_existing_token?
-          server_config.reuse_access_token ||
-            server_config.revoke_previous_client_credentials_token?
+          Doorkeeper.config.reuse_access_token ||
+            Doorkeeper.config.revoke_previous_client_credentials_token?
         end
 
-        def find_existing_token_for(client, scopes)
-          server_config.access_token_model.matching_token_for(client, nil, scopes)
-        end
-
-        def server_config
-          Doorkeeper.config
+        def find_active_existing_token_for(client, scopes)
+          Doorkeeper.config.access_token_model.matching_token_for(client, nil, scopes, include_expired: false)
         end
       end
     end

data/lib/doorkeeper/oauth/client_credentials/validator.rb

@@ -35,13 +35,12 @@ module Doorkeeper
         end
 
         def validate_scopes
-          return true if @request.scopes.blank?
-
           application_scopes = if @client.present?
                                  @client.application.scopes
                                else
                                  ""
                                end
+          return true if @request.scopes.blank? && application_scopes.blank?
 
           ScopeChecker.valid?(
             scope_str: @request.scopes.to_s,

data/lib/doorkeeper/oauth/error_response.rb

@@ -55,8 +55,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
           "WWW-Authenticate" => authenticate_info,
         }

data/lib/doorkeeper/oauth/forbidden_token_response.rb

@@ -23,7 +23,8 @@ module Doorkeeper
       end
 
       def description
-        @description ||= @scopes.map { |s| I18n.t(s, scope: %i[doorkeeper scopes]) }.join("\n")
+        @description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
+                                oauth_scopes: @scopes.map(&:to_s).join(" "),)
       end
 
       protected

data/lib/doorkeeper/oauth/helpers/unique_token.rb

@@ -11,8 +11,8 @@ module Doorkeeper
           # Access Token value must be 1*VSCHAR or
           # 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
           #
-          # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
-          # @see https://tools.ietf.org/html/rfc6750#section-2.1
+          # @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
+          # @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
           #
           generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
           token_size = options.delete(:size) || 32

data/lib/doorkeeper/oauth/helpers/uri_checker.rb

@@ -28,7 +28,7 @@ module Doorkeeper
           end
 
           # RFC8252, Paragraph 7.3
-          # @see https://tools.ietf.org/html/rfc8252#section-7.3
+          # @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
           if loopback_uri?(url) && loopback_uri?(client_url)
             url.port = nil
             client_url.port = nil
@@ -61,9 +61,9 @@ module Doorkeeper
         end
 
         def self.valid_scheme?(uri)
-          return false if uri.scheme.nil?
+          return false if uri.scheme.blank?
 
-          %w[localhost].include?(uri.scheme) == false
+          %w[localhost].exclude?(uri.scheme)
         end
 
         def self.hypertext_scheme?(uri)
@@ -71,7 +71,7 @@ module Doorkeeper
         end
 
         def self.iff_host?(uri)
-          !(hypertext_scheme?(uri) && uri.host.nil?)
+          !(hypertext_scheme?(uri) && uri.host.blank?)
         end
 
         def self.oob_uri?(uri)

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -25,7 +25,7 @@ module Doorkeeper
       private
 
       def before_successful_response
-        find_or_create_access_token(client, resource_owner, scopes, server)
+        find_or_create_access_token(client, resource_owner, scopes, {}, server)
         super
       end
 
@@ -57,7 +57,7 @@ module Doorkeeper
       #
       #    o  authenticate the client if client authentication is included,
       #
-      #   @see https://tools.ietf.org/html/rfc6749#section-4.3
+      #   @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
       #
       def validate_client
         if Doorkeeper.config.skip_client_authentication_for_password_grant
@@ -68,7 +68,7 @@ module Doorkeeper
       end
 
       def validate_client_supports_grant_flow
-        server_config.allow_grant_flow_for_client?(grant_type, client&.application)
+        Doorkeeper.config.allow_grant_flow_for_client?(grant_type, client&.application)
       end
     end
   end

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -18,19 +18,20 @@ module Doorkeeper
 
       attr_reader :client, :code_challenge, :code_challenge_method, :missing_param,
                   :redirect_uri, :resource_owner, :response_type, :state,
-                  :authorization_response_flow, :response_mode
+                  :authorization_response_flow, :response_mode, :custom_access_token_attributes
 
       def initialize(server, parameters = {}, resource_owner = nil)
-        @server                = server
-        @client_id             = parameters[:client_id]
-        @response_type         = parameters[:response_type]
-        @response_mode         = parameters[:response_mode]
-        @redirect_uri          = parameters[:redirect_uri]
-        @scope                 = parameters[:scope]
-        @state                 = parameters[:state]
-        @code_challenge        = parameters[:code_challenge]
+        @server = server
+        @client_id = parameters[:client_id]
+        @response_type = parameters[:response_type]
+        @response_mode = parameters[:response_mode]
+        @redirect_uri = parameters[:redirect_uri]
+        @scope = parameters[:scope]
+        @state = parameters[:state]
+        @code_challenge = parameters[:code_challenge]
         @code_challenge_method = parameters[:code_challenge_method]
-        @resource_owner        = resource_owner
+        @resource_owner = resource_owner
+        @custom_access_token_attributes = parameters.slice(*Doorkeeper.config.custom_access_token_attributes)
       end
 
       def authorizable?

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -26,7 +26,7 @@ module Doorkeeper
       private
 
       def load_client(credentials)
-        server_config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
+        Doorkeeper.config.application_model.by_uid_and_secret(credentials.uid, credentials.secret)
       end
 
       def before_successful_response
@@ -41,7 +41,7 @@ module Doorkeeper
       end
 
       def refresh_token_revoked_on_use?
-        server_config.access_token_model.refresh_token_revoked_on_use?
+        Doorkeeper.config.access_token_model.refresh_token_revoked_on_use?
       end
 
       def default_scopes
@@ -49,7 +49,7 @@ module Doorkeeper
       end
 
       def create_access_token
-        attributes = {}
+        attributes = {}.merge(custom_token_attributes_with_data)
 
         resource_owner =
           if Doorkeeper.config.polymorphic_resource_owner?
@@ -75,7 +75,7 @@ module Doorkeeper
         # Here we assume that TTL of the token received after refreshing should be
         # the same as that of the original token.
         #
-        @access_token = server_config.access_token_model.create_for(
+        @access_token = Doorkeeper.config.access_token_model.create_for(
           application: refresh_token.application,
           resource_owner: resource_owner,
           scopes: scopes,
@@ -101,7 +101,7 @@ module Doorkeeper
         client.present?
       end
 
-      # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
       #
       def validate_client_match
         return true if refresh_token.application_id.blank?
@@ -119,6 +119,14 @@ module Doorkeeper
           true
         end
       end
+
+      def custom_token_attributes_with_data
+        refresh_token
+        .attributes
+        .with_indifferent_access
+        .slice(*Doorkeeper.config.custom_access_token_attributes)
+        .symbolize_keys
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/token_introspection.rb

@@ -4,7 +4,7 @@ module Doorkeeper
   module OAuth
     # RFC7662 OAuth 2.0 Token Introspection
     #
-    # @see https://tools.ietf.org/html/rfc7662
+    # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
       def initialize(server, token)
         @server = server
@@ -107,7 +107,7 @@ module Doorkeeper
       # authorization server SHOULD NOT include any additional information
       # about an inactive token, including why the token is inactive.
       #
-      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      # @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
       #
       def failure_response
         {
@@ -134,7 +134,7 @@ module Doorkeeper
       # Since resource servers using token introspection rely on the
       # authorization server to determine the state of a token, the
       # authorization server MUST perform all applicable checks against a
-      # token's state.  For instance, these tests include the following:
+      # token's state. For instance, these tests include the following:
       #
       #    o  If the token can expire, the authorization server MUST determine
       #       whether or not the token has expired.
@@ -186,7 +186,7 @@ module Doorkeeper
       # Provides context (controller) and token for generating developer-specific
       # response.
       #
-      # @see https://tools.ietf.org/html/rfc7662#section-2.2
+      # @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
       #
       def customize_response(response)
         customized_response = Doorkeeper.config.custom_introspection_response.call(

data/lib/doorkeeper/oauth/token_response.rb

@@ -26,8 +26,7 @@ module Doorkeeper
 
       def headers
         {
-          "Cache-Control" => "no-store",
-          "Pragma" => "no-cache",
+          "Cache-Control" => "no-store, no-cache",
           "Content-Type" => "application/json; charset=utf-8",
         }
       end

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb

@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
     included do
       self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
 
       include ::Doorkeeper::AccessGrantMixin
 
@@ -13,12 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                optional: true,
                                inverse_of: :access_grants
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: false
-      else
-        validates :resource_owner_id, presence: true
-      end
-
       validates :application_id,
                 :token,
                 :expires_in,

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb

@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
 
     included do
       self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
 
       include ::Doorkeeper::AccessTokenMixin
 
@@ -13,10 +14,6 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
                                inverse_of: :access_tokens,
                                optional: true
 
-      if Doorkeeper.config.polymorphic_resource_owner?
-        belongs_to :resource_owner, polymorphic: true, optional: true
-      end
-
       validates :token, presence: true, uniqueness: { case_sensitive: true }
       validates :refresh_token, uniqueness: { case_sensitive: true }, if: :use_refresh_token?
 
@@ -47,6 +44,27 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
         column_names.include?("previous_refresh_token")
       end
 
+      # Returns non-expired and non-revoked access tokens
+      def not_expired
+        relation = where(revoked_at: nil)
+
+        if supports_expiration_time_math?
+          # have not reached the expiration time or it never expires
+          relation.where("#{expiration_time_sql} > ?", Time.now.utc).or(
+            relation.where(expires_in: nil)
+          )
+        else
+          ::Kernel.warn <<~WARNING.squish
+            [DOORKEEPER] Doorkeeper doesn't support expiration time math for your database adapter (#{adapter_name}).
+            Please add a class method `custom_expiration_time_sql` for your AccessToken class/mixin to provide a custom
+            SQL expression to calculate access token expiration time. See lib/doorkeeper/orm/active_record/mixins/access_token.rb
+            for more details.
+          WARNING
+
+          relation
+        end
+      end
+
       private
 
       def compute_doorkeeper_table_name